Distance-revealing encryption

ABSTRACT

A method for computing the distance between two encrypted data vectors using elliptic curve cryptography.

TECHNICAL FIELD

Various exemplary embodiments disclosed herein relate generally to distance-revealing encryption.

BACKGROUND

Distance-revealing encryption is a primitive related to functional encryption (FE), a generalization of public-key encryption which allows a party to learn a function of the input plaintext (or multiple plaintexts in the case of multi-input functional encryption (MIFE)). More specifically, distance-revealing encryption adds the useful feature that given any two ciphertexts, the Euclidean distance between the corresponding plaintexts—viewed as vectors—can be evaluated publicly; that is, without the knowledge of the private decryption key.

SUMMARY

A brief summary of various exemplary embodiments is presented below. Some simplifications and omissions may be made in the following summary, which is intended to highlight and introduce some aspects of the various exemplary embodiments, but not to limit the scope of the invention. Detailed descriptions of an exemplary embodiment adequate to allow those of ordinary skill in the art to make and use the inventive concepts will follow in later sections.

Various embodiments relate to method for performing distance revealing encryption, including: generating a tuple (

₁,

₂,

_(T),ê), where

₁=

g₁

,

₂=

g₂

and

_(T) are groups whose order is |

₁|=|

₂|=|

_(T)|=p with p prime and ê:

₁×

₂→

_(T) is a bilinear pairing and is non-degenerate; randomly select a first plurality elements and a second plurality of elements; defining a parameter h that is based upon ê,g₁,g₂, and the first plurality of elements; selecting a pseudo-random function family indexed by a secret key K; setting public parameters as ê,

₁,

₂,

_(T),p,h; setting private parameters as g₁, g₂, the first plurality of elements, the second plurality of elements, the pseudo-random function family, and the secret key K; encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of components in the message by:

choosing a random value r; computing a plurality of values of the pseudo random function; and computing a first plurality of ciphertext values based upon g₁, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}; and computing a second plurality of ciphertext values based upon g₂, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}.

Further various embodiments relate to a non-transitory machine-readable storage medium encoded with instructions for execution by a processor for performing distance revealing encryption, including: instructions for generating a tuple

₁,

₂,

_(T), ê, where

₁=

g₁

,

₂=

g₂

and

_(T) are groups whose order is |

₁|=|

₂|=|

_(T)|=p with p prime and ê:

₁×

₂→

_(T) is a bilinear pairing and is non-degenerate; instructions for randomly select a first plurality elements and a second plurality of elements; instructions for defining a parameter h that is based upon ê,g₁,g₂, and the first plurality of elements; instructions for selecting a pseudo-random function family indexed by a secret key K; instructions for setting public parameters as ê,

₁,

₂,

_(T),p,h; instructions for setting private parameters as g₁, g₂, the first plurality of elements, the second plurality of elements, the pseudo-random function family, and the secret hey K; instructions for encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of components in the message by: choosing a random value r; computing a plurality of values of the pseudo random function; and computing a first plurality of ciphertext values based upon g₁, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}; and computing a second plurality of ciphertext values based upon g₂, random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}.

Various embodiments are described, wherein the first plurality of elements are α,β,ξ,η and are selected such that (α+β)ξη≢0(mod p), and the second plurality of elements are μ₁, . . . ,μ_(n) and are selected such that Σ_(i=1) ^(n)μ_(i) ²≡0(mod p).

Various embodiments are described, wherein the parameter h=ê(b₁,g₂)^((α+β)ξη).

Various embodiments are described, wherein the first plurality of ciphertext values are calculated as c_(i,1)=g₁ ^(ξ(x) ^(i) ^(+t) ^(i) ^()+rμ) ^(i) and c_(i,2)=g₁ ^(αξ(x) ^(i) ^(+t) ^(i) ^()−βrμ) ^(i) for 1≤i≤n, where t_(i) are the plurality of values of the pseudo random function, and the second plurality of ciphertext values are calculated as d_(i,1)=g₂ ^(βη(x) ^(i) ^(+t) ^(i) ^()−αrμ) ^(i) and d_(i,2)=g₂ ^(η(x) ^(i) ^(+t) ^(i) ^()+rμ) ^(i) for 1≤i≤n.

Various embodiments are described, wherein t_(i)=F_(K)(τ,i) where tag τ is a value associated with the message {right arrow over (x)}.

Various embodiments are described, further including determining the distance between two encrypted messages {right arrow over (x)} and {right arrow over (x)}′ by calculating:

$Z:={\prod\limits_{i = 1}^{n}\;{{\hat{e}\left( {\frac{c_{i,1}}{c_{i,1}^{\prime}},\frac{d_{i,1}}{d_{i,1}^{\prime}}} \right)} \cdot {{\hat{e}\left( {\frac{c_{i,2}}{c_{i,2}^{\prime}},\frac{d_{i,2}}{d_{i,2}^{\prime}}} \right)}.}}}$

Further various embodiments relate to a method for performing distance revealing encryption, including: generating a tuple (

,

_(T),ê), where

=

g

and

_(T) are groups whose order is |

|=|

_(T)|=p with p prime and ê:

×

→

_(T) is a bilinear pairing and is non-degenerate; randomly select a first plurality elements and a second plurality of elements; defining a parameter h that is based upon ê,

and the first plurality of elements; selecting a pseudo-random function family indexed by a secret key K; setting public parameters as ê,

,

_(T),p,h, setting private parameters as g, the first plurality of elements the second plurality of elements, the pseudo-random function family, and the secret key K; encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of elements in the message by: choosing a random value r; computing a plurality of values of the pseudo random function; and computing a plurality of ciphertext values based upon g, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}.

Further various embodiments relate to a non-transitory machine-readable storage medium encoded with instructions for execution by a processor for performing distance revealing encryption, including: instructions for generating a tuple (

,

_(T),ê), where

=

g

and

_(T) are groups whose order is |

|=|

_(T)|=p with p prime and ê:

×

→

_(T) is a bilinear pairing and is non-degenerate; instructions for randomly select a first plurality elements and a second plurality of elements; instructions for defining a parameter h that is based upon ê, g, and the first plurality of elements; instructions for selecting a pseudo-random function family indexed by a secret key K; instructions for setting public parameters as ê,

,

_(T),p,h, instructions for setting private parameters as g, the first plurality of elements, the second plurality of elements, the pseudo-random function family, and the secret key K; instructions for encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of elements in the message by: choosing a random value r; computing a plurality of values of the pseudo random function; and computing a plurality of ciphertext values based upon g, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}.

Various embodiments are described, wherein the first plurality of elements are α,β,ξ,η and are selected such that (α+β)ξη≢0(mod p), and the second plurality of elements are μ₁, . . . ,μ_(n) and are selected such that Σ_(i=1) ^(n)μ_(i) ²≡0(mod p).

Various embodiments are described, wherein the parameter h=ê(g₁,g₂)^((α+β)ξη).

Various embodiments are described, wherein the first plurality of ciphertext values are calculated as c_(i,1)=g₁ ^(ξ(x) ^(i) ^(+t) ^(i) ^()+rμ) ^(i) and c_(i,2)=g₁ ^(αξ(x) ^(i) ^(+t) ^(i) ^()−βrη) ^(i) for 1≤i≤n, where t_(i) are the plurality of values of the pseudo random function, and the second plurality of ciphertext values are calculated as d_(i,1)=g₂ ^(βη(x) ^(i) ^(+t) ^(i) ^()−αrμ) ^(i) and d_(i,2)=g₂ ^(η(x) ^(i) ^(+t) ^(i) ^()+rμ) ^(i) for 1≤i≤n.

Various embodiments are described, wherein t_(i)=F_(K)(τ, i) where tag τ is a value associated with the message {right arrow over (x)}.

Various embodiments are described, further including determining the distance between two encrypted messages {right arrow over (x)} and {right arrow over (x)}′ by calculating:

$Z:={\prod\limits_{i = 1}^{n}\;{{\hat{e}\left( {\frac{c_{i,1}}{c_{i,1}^{\prime}},\frac{d_{i,1}}{d_{i,1}^{\prime}}} \right)} \cdot {{\hat{e}\left( {\frac{c_{i,2}}{c_{i,2}^{\prime}},\frac{d_{i,2}}{d_{i,2}^{\prime}}} \right)}.}}}$

BRIEF DESCRIPTION OF THE DRAWINGS

In order to better understand various exemplary embodiments, reference is made to the accompanying drawings, wherein:

FIG. 1 illustrates a flow diagram of the distance-revealing encryption method.

To facilitate understanding, identical reference numerals have been used to designate elements having substantially the same or similar structure and/or substantially the same or similar function.

DETAILED DESCRIPTION

The description and drawings illustrate the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the invention and are included within its scope. Furthermore, all examples recited herein are principally intended expressly to be for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Additionally, the term, “or,” as used herein, refers to a non-exclusive or (i.e., and/or), unless otherwise indicated (e.g., “or else” or “or in the alternative”). Also, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments.

Two embodiments of distance-revealing encryption schemes are described below. These schemes make use of non-degenerate bilinear maps. Those maps may be constructed from pairings over elliptic curves. These two embodiments provide for a secure and computationally efficient method for encrypting data that can then be processed to determine the distance between two data points from their encrypted values, without ever decrypting.

There are two forms of bilinear maps commonly used in the cryptography literature. The first are of the form ê:

₁×

₂→

_(T), where

₁,

₂ and

_(T) are cyclic groups of prime order p. The second are of the form ê:

×

→

_(T) where

and

_(T) are cyclic groups of prime order p.

The second form can be seen as a particular case of the first one by setting

₁=

₂=

. Embodiments using both forms are described. The different groups will be written multiplicatively with identity element 1.

Let

₁=

g₁

and

₂=

g₂

. Two properties of map ê are important: 1) bilinearity for any a, b∈

_(p), ê(g₁ ^(a),g₂ ^(b))=ê(g₁,g₂) and 2) non-degeneracy ê(g₁,g₂)≠1.

The non-degeneracy property implies that ê(g₁,g₂) is a generator of the target group; that is,

_(T)=

ê(g₁,g₂)

.

By construction, a good encryption scheme should be such that its output is uniformly distributed over the ciphertext space. Assume the message space is the set of n-dimension vectors whose components are l-bit strings,

=({0,1}^(l))^(n). Consider also a pseudo-random function family, F_(K):{0,1}*×{0,1}^(n)→

_(p), indexed by a secret key K. A simple construction for distance-revealing encryption could be as follows: given a message {right arrow over (x)}=(x₁, . . . , x_(n))∈

with tag τ, its encryption is given by

=(c₁, . . . , c_(n)) where c _(i)=[F _(K)(τ,i)+x _(i)]mod p.

Then the (square of) distance between any two plaintexts, given their ciphertexts

=(c₁, . . . , c_(n)) and

′=(c′₁, . . . , c′_(n)), can be obtained as:

${{\overset{\rightarrow}{x} - \overset{\rightarrow}{x^{\prime}}}}^{2} = {\sum\limits_{i = 1}^{n}\;{\left( {c_{i} - c_{i}^{\prime}} \right)^{2}\mspace{31mu}{\left( {{mod}\mspace{14mu} p} \right).}}}$

While this encryption scheme is very efficient, this encryption scheme leaks to much information. In particular, it provides the difference between any two components of plaintexts; namely, c_(i)−c′_(i)=x_(i)−x′_(i) (mod p) for any i∈{1, . . . , n}. In turn, this implies that the knowledge of a single pair of plaintext/ciphertext allows one to decrypt any ciphertext.

FIG. 1 illustrates a flow diagram of a distance revealing encryption method. The method 100 begins at 105. Next, a tuple including specific points and a mapping function is generated 110. The method 100 then randomly selects a first and second plurality of elements 115. Next, the method 100 defines a parameter h based upon the generated tuple 120. The method 110 then selects a pseudo random function family 125. Next, the method 100 sets the public and private parameters 130, which are essentially a public and private key. The method 100 then encrypts a message 135. Finally, the method 100 evaluates the distance between two encrypted messages 140. The method 100 then ends at 145. Further, details for the two embodiments will be provided below.

Embodiments will now be described that aim at providing solutions so that only the distance between plaintexts can be inferred from the ciphertexts. Two schemes are proposed. The first one makes use of asymmetric pairings and the second one of symmetric pairings.

The first scheme may be described by the following steps.

First, define a Setup (1^(K),n) algorithm. The value n indicates the number of components in the message (viewed as a vector of dimension n) to be encrypted. On the input security parameter 1^(K), the Setup (1^(K),n) algorithm generates the tuple (

₁,

₂,

_(T),ê) where

₁=

g₁

,

₂=

g₂

and

_(T) are (multiplicatively written) groups whose order is |

₁|=|

₂|=|

_(T)|=p with p prime, and ê:

₁×

₂→

_(T) is a bilinear pairing. The message space

is a subset of (

_(p))^(n); for example,

=({0,1}^(l−1))^(n) where l denotes the bit-length of p. The Setup (1^(K),n) algorithm also selects n+4 elements α,β,ξ,η,μ₁, . . . ,μ_(n)∈

_(p) such that: (α+β)ξη≢0(mod p); and Σ_(i=1) ^(n)μ_(i) ²≡0(mod p).

Next, the Setup (1^(K),n) algorithm defines h=ê(g₁,g₂)^((α+β)ξη)∈

_(T). Finally, the Setup (1^(K),n) algorithm selects a pseudo-random function family, F_(K):{0,1}*×{1, . . . , n}→

_(p), indexed by a secret key and randomly chooses

$K\overset{\$}{\longleftarrow}{{{KeyGen}\left( 1^{\kappa} \right)}.}$

The public parameters are pp=(ê,

₁,

₂,

_(T),p,h) and the secret key is sk=(g₁,g₂,α,β,ξ,η,{μ_(i)}_(1≤i≤n),F_(K),K). This is public key and the private key.

Next, define an Enc (sk,{right arrow over (x)},τ) algorithm. The encryption of message {right arrow over (x)}=(x₁, . . . , x_(n))∈

with tag τ (which is an identifier associated with the message) is obtained by performing the following two steps:

1) choose uniformly at random

${r\overset{\$}{\longleftarrow}{\mathbb{Z}}_{p}};$ and

2) for 1≤i≤n, compute t_(i)=F_(K)(τ,i) and

$\quad\left\{ \begin{matrix} {{c_{i,1} = g_{1}^{{\xi{({x_{i} + t_{i}})}} + {r\;\mu_{i}}}},} & {{c_{i,2} = g_{1}^{{{\alpha\xi}{({x_{i} + t_{i}})}} - {\beta\; r\;\mu_{i}}}},} \\ {{d_{i,1} = g_{2}^{{{\beta\eta}{({x_{i} + t_{i}})}} - {\alpha\; r\;\mu_{i}}}},} & {d_{i,2} = {g_{2}^{{\eta{({x_{i} + t_{i}})}} + {r\;\mu_{i}}}.}} \end{matrix} \right.$

The ciphertext is

=(C,D,τ) with C=(c_(1,1), c_(1,2), . . . , c_(n,1), c_(n,2))∈(

₁)^(2n) and D=(d_(1,1), d_(1,2), . . . , d_(n,1), d_(n,2))∈(

₂)^(2n).

Finally, define an Eval (pp,

,

′) algorithm. The Eval (pp,

,

′) algorithm parses

as ((c _(1,1) ,c _(1,2) , . . . ,c _(n,1) ,c _(n,2)),(d _(1,1) ,d _(1,2) , . . . ,d _(n,1) ,d _(n,2)),τ) and

′ as ((c′ _(1,1) ,c′ _(1,2) , . . . ,c′ _(n,1) ,c′ _(n,2)),(d′ _(1,1) ,d _(1,2) , . . . ,d′ _(n,1) ,d′ _(n,2)),τ). If τ′≠τ, the Eval (pp,

,

′) algorithm returns ⊥. Otherwise, if τ′=τ, the Eval (pp,

,

′) algorithm evaluates the product

$\begin{matrix} {Z:={\prod\limits_{i = 1}^{n}\;{{\hat{e}\left( {\frac{c_{i,1}}{c_{i,1}^{\prime}},\frac{d_{i,1}}{d_{i,1}^{\prime}}} \right)} \cdot {\hat{e}\left( {\frac{c_{i,2}}{c_{i,2}^{\prime}},\frac{d_{i,2}}{d_{i,2}^{\prime}}} \right)}}}} \\ {= {h{\sum\limits_{i = 1}^{n}\;{\left( {x_{i} - x_{i}^{\prime}} \right)^{2}.}}}} \end{matrix}$ The Eval (pp,

,

′) algorithm then obtains Σ_(i=1) ^(n)(x_(i)−x′_(i))² (mod p) as the discrete logarithm of Z with respect to base h in

_(T).

The correctness of the Eval (pp,

,

′) algorithm is easily verified. From

$\left\{ {\begin{matrix} {{\frac{c_{i,1}}{c_{i,1}^{\prime}} = g_{1}^{{\xi{({x_{i} - x_{i}^{\prime}})}} + {{({r - r^{\prime}})}\mu_{i}}}},} & {{\frac{c_{i,2}}{c_{i,2}^{\prime}} = g_{1}^{{{\alpha\xi}{({x_{i} - x_{i}^{\prime}})}} - {{\beta{({r - r^{\prime}})}}\mu_{i}}}},} \\ {{\frac{d_{i,1}}{d_{i,1}^{\prime}} = g_{2}^{{{\beta\eta}{({x_{i} - x_{i}^{\prime}})}} - {{\alpha{({r - r^{\prime}})}}\mu_{i}}}},} & {{\frac{d_{i,2}}{d_{i,2}^{\prime}} = g_{2}^{{\eta{({x_{i} - x_{i}^{\prime}})}} + {{({r - r^{\prime}})}\mu_{i}}}},} \end{matrix}\quad} \right.$ the following results:

$\begin{matrix} {{{\hat{e}\left( {\frac{c_{i,1}}{c_{i,1}^{\prime}},\frac{d_{i,1}}{d_{i,1}^{\prime}}} \right)} \cdot {\hat{e}\left( {\frac{c_{i,2}}{c_{i,2}^{\prime}},\frac{d_{i,2}}{d_{i,1}^{\prime}}} \right)}} =} & {{\hat{e}\left( {g_{1}^{{\xi{({x_{i} - x_{i}^{\prime}})}} + {{({r - r^{\prime}})}\mu_{i}}},g_{2}^{{{\beta\eta}{({x_{i} - x_{i}^{\prime}})}} - {{\alpha{({r - r^{\prime}})}}\mu_{i}}}} \right)} \cdot {\hat{e}\left( {g_{1}^{{{\alpha\xi}{({x_{i} - x_{i}^{\prime}})}} - {{\beta{({r - r^{\prime}})}}\mu_{i}}},g_{2}^{{\eta{({x_{i} - x_{i}^{\prime}})}} + {{({r - r^{\prime}})}\mu_{i}}}} \right)}} \\ {=} & {{\hat{e}\left( {g_{1},g_{2}} \right)}^{{{({{\xi{({x_{i} - x_{i}^{\prime}})}} + {{({r - r^{\prime}})}\mu_{i}}})} \cdot {({{{\beta\eta}{({x_{i} - x_{i}^{\prime}})}} - {{\alpha{({r - r^{\prime}})}}\mu_{i}}})}} + {{({{{\alpha\xi}{({x_{i} - x_{i}^{\prime}})}} - {{\beta{({r - r^{\prime}})}}\mu_{i}}})} \cdot {({{\eta{({x_{i} - x_{i}^{\prime}})}} + {{({r - r^{\prime}})}\mu_{i}}})}}}} \\ {=} & {{\hat{e}\left( {g_{1},g_{2}} \right)}^{{{({\alpha + \beta})}{{\xi\eta}{({x_{i} - x_{i}^{\prime}})}}^{2}} - {{({\alpha + \beta})}{({r - r^{\prime}})}^{2}\mu_{i}^{2}}}.} \end{matrix}$

As a result, the following is obtained:

$\begin{matrix} {Z\text{:=}\mspace{14mu}{\prod\limits_{i = 1}^{n}\;{{\hat{e}\left( {\frac{c_{i,1}}{c_{i,1}^{\prime}},\frac{d_{i,1}}{d_{i,1}^{\prime}}} \right)} \cdot {\hat{e}\left( {\frac{c_{i,2}}{c_{i,2}^{\prime}},\frac{d_{i,2}}{d_{i,2}^{\prime}}} \right)}}}} \\ {= {\prod\limits_{i = 1}^{n}\;{{\hat{e}\left( {g_{1},g_{2}} \right)}^{{({\alpha + \beta})}{{\xi\eta}{({x_{i} - x_{i}^{\prime}})}}^{2}} \cdot {\hat{e}\left( {g_{1},g_{2}} \right)}^{{- {({\alpha + \beta})}}{({r - r^{\prime}})}^{2}\mu_{i}^{2}}}}} \\ {= h^{{\Sigma_{i = 1}^{n}{({x_{i} - x_{i}^{\prime}})}}^{2}}} \end{matrix}$ which is the desired result.

The second scheme may be described by the following steps.

First, define a Setup (1^(K),n) algorithm. On input security parameter 1^(K), the Setup (1^(K),n) algorithm generates the tuple (

,

_(T),ê) where

=

g

and

_(T) are (multiplicatively written) groups whose order is |

|=|

_(T)|=p with p prime, and ê:

×

→

_(T) is a bilinear pairing. The message space

is a subset of (

_(p))^(n). The Setup (1^(K),n) algorithm also selects n+6 elements α,β,γ,δ,ξ,η,μ₁, . . . ,μ_(n)∈

_(p) p such that: (1+α²+γ²)ξ²+(1+β²+δ²)η²≢0(mod p); and Σ_(i=1) ^(n)μ_(i) ²≡0(mod p).

The Setup (1^(K),n) algorithm defines h=ê(g,g)^((1+α) ² ^(+γ) ² ^()ξ) ² ^(+(1+β) ² ^(+δ) ² ^()η) ² ∈

_(T). Finally, the Setup (1^(K),n) algorithm selects a pseudo-random function family, F_(K):{0,1}*×{1, . . . , n}→

_(p), indexed by a secret key and randomly chooses

$K\overset{\$}{\leftarrow}{{KeyGen}\mspace{14mu}{\left( 1^{\kappa} \right).}}$

The public parameters are pp=(ê,

,

_(T),p,h) and the secret key is sk=(g,α,β,γ,δ,ξ,η,{μ_(i)}_(1≤i≤n),F_(K),K). This is the public key and the private key.

Next, define a Enc (sk,{right arrow over (x)},τ) algorithm. The encryption of message {right arrow over (x)}=(x₁, . . . , x_(n))∈

with tag τ is obtained in two steps as:

1) choose uniformly at random

${r\overset{\$}{\leftarrow}{\mathbb{Z}}_{p}};$ and

2) for 1≤i≤n, compute t₁=F_(K)(τ,i) and

$\left\{ {\begin{matrix} {{c_{i,1} = g^{{\xi{({x_{i} + t_{i}})}} - {{({{\alpha\delta} - {\beta\gamma}})}r\;\mu_{i}}}},} & {{c_{i,2} = g^{{\eta{({x_{i} + t_{i}})}} - {*{({{\alpha\delta} - {\beta\gamma}})}r\;\mu_{i}}}},} \\ {{{c_{i,3} = g^{{{\alpha\xi}{({x_{i} + t_{i}})}} + {{({\gamma + \delta})}r\;\mu_{i}}}},}\mspace{14mu}} & {{{c_{i,4} = g^{{- {{\beta\eta}{({x_{i} + t_{i}})}}} + {{({\gamma + \delta})}r\;\mu_{i}}}},}\;} \\ {{c_{i,5} = g^{{- {{\gamma\xi}{({x_{i} + t_{i}})}}} + {{({\alpha - \beta})}r\;\mu_{i}}}},} & {{{c_{i,6} = g^{{{\delta\eta}{({x_{i} + t_{i}})}} + {{({\alpha + \beta})}r\;\mu_{i}}}},}\mspace{14mu}} \end{matrix}\quad} \right.$

The ciphertext is

=(C,τ) with C=(c _(1,1) ,c _(1,2) ,c _(1,3) ,c _(1,4) ,c _(1,5) ,c _(1,6) , . . . ,c _(n,1) ,c _(n,2) ,c _(n,3) ,c _(n,4) ,c _(n,5) ,c _(n,6))∈(

)^(6n).

Finally, define an Eval (pp,

,

′) algorithm. The Eval (pp,

,

′) algorithm parses

as ((c _(1,1) ,c _(1,2) ,c _(1,3) ,c _(1,4) ,c _(1,5) ,c _(1,6) , . . . ,c _(n,1) ,c _(n,2) ,c _(n,3) ,c _(n,4) ,c _(n,5) ,c _(n,6)),τ) and

′ as ((c′ _(1,1) ,c′ _(1,2) ,c′ _(1,3) ,c′ _(1,4) ,c′ _(1,5) ,c′ _(1,6) , . . . ,c′ _(n,1) ,c′ _(n,2) ,c′ _(n,3) ,c′ _(n,4) ,c′ _(n,5) ,c′ _(n,6)),τ′).

If τ′≠τ, the Eval (pp,

,

′) algorithm returns ⊥. Otherwise, if τ′=τ, it evaluates the product

$\begin{matrix} {Z\text{:=}\mspace{14mu}{\prod\limits_{i = 1}^{n}\;{\prod\limits_{j = 1}^{6}\;{\hat{e}\left( {\frac{c_{i,j}}{c_{i,j}^{\prime}},\frac{c_{i,j}}{c_{i,j}^{\prime}}} \right)}}}} \\ {= {h^{{\Sigma_{i = 1}^{n}{({x_{i} - x_{i}^{\prime}})}}^{2}}.}} \end{matrix}$

The Eval (pp,

,

′) algorithm then obtains Σ_(i=1) ^(n)(x₁−x′_(i))² (mod p) as the discrete logarithm of Z with respect to base h in

_(T).

The correctness of the Eval (pp,

,

′) algorithm is easily verified. From

$\left\{ \begin{matrix} {{\frac{c_{i,1}}{c_{i,1}^{\prime}} = g^{{\xi{({x_{i} - x_{i}^{\prime}})}} - {{({{\alpha\delta} - {\beta\gamma}})}{({r - r^{\prime}})}\mu_{i}}}},} & {{\frac{c_{i,2}}{c_{i,2}^{\prime}} = g^{{\eta{({x_{i} - x_{i}^{\prime}})}} - {{({{\alpha\delta} - {\beta\gamma}})}{({r - r^{\prime}})}\mu_{i}}}},} \\ {{\frac{c_{i,3}}{c_{i,3}^{\prime}} = g^{{{\alpha\xi}{({x_{i} - x_{i}^{\prime}})}} + {{({\gamma + \delta})}{({r - r^{\prime}})}\mu_{i}}}},} & {{\frac{c_{i,4}}{c_{i,4}^{\prime}} = g^{{- {{\beta\eta}{({x_{i} - x_{i}^{\prime}})}}} + {{({\gamma + \delta})}{({r - r^{\prime}})}\mu_{i}}}},} \\ {{\frac{c_{i,5}}{c_{i,5}^{\prime}} = g^{{- {{\gamma\xi}{({x_{i} - x_{i}^{\prime}})}}} + {{({\alpha + \beta})}{({r - r^{\prime}})}\mu_{i}}}},} & {\frac{c_{i,6}}{c_{i,6}^{\prime}} = {g^{{{\delta\beta}{({x_{i} - x_{i}^{\prime}})}} + {{({\alpha + \beta})}{({r - r^{\prime}})}\mu_{i}}}.}} \end{matrix} \right.$ the following results:

$\begin{matrix} {{\prod\limits_{j = 1}^{6}\;{\hat{e}\left( {\frac{c_{i,j}}{c_{i,j}^{\prime}},\frac{c_{i,j}}{c_{i,j}^{\prime}}} \right)}} =} & {{\hat{e}\left( {g,g} \right)}^{{\lbrack{{\xi{({x_{i} - x_{i}^{\prime}})}} - {{({{\alpha\delta} - {\beta\gamma}})}{({r - r^{\prime}})}\mu_{i}}}\rbrack}^{2}} \cdot {\hat{e}\left( {g,g} \right)}^{{\lbrack{{\eta{({x_{i} - x_{i}^{\prime}})}} - {{({{\alpha\delta} - {\beta\gamma}})}{({r - r^{\prime}})}\mu_{i}}}\rbrack}^{2}} \cdot} \\  & {{\hat{e}\left( {g,g} \right)}^{{\lbrack{{{\alpha\xi}{({x_{i} - x_{i}^{\prime}})}} + {{({{\gamma 3}~\delta})}{({r - r^{\prime}})}\mu_{i}}}\rbrack}^{2}} \cdot {\hat{e}\left( {g,g} \right)}^{{\lbrack{{- {{\beta\eta}{({x_{i} - x_{i}^{\prime}})}}} + {{({\gamma + \delta})}{({r - r^{\prime}})}\mu_{i}}}\rbrack}^{2}} \cdot} \\  & {{\hat{e}\left( {g,g} \right)}^{{\lbrack{{- {{\gamma\xi}{({x_{i} - x_{i}^{\prime}})}}} + {{({\alpha + \beta})}{({r - r^{\prime}})}\mu_{i}}}\rbrack}^{2}} \cdot {\hat{e}\left( {g,g} \right)}^{{\lbrack{{{\delta\eta}{({x_{i} - x_{i}^{\prime}})}} + {{({\alpha + \beta})}{({r - r^{\prime}})}\mu_{i}}}\rbrack}^{2}}} \\ {=} & {{\hat{e}\left( {g,g} \right)}^{{{{{\lbrack{\xi^{2} + \eta^{2} + {({\alpha\xi})}^{2} + {({\beta\eta})}^{2} + {({\gamma\xi})}^{2} + {({\beta\eta})}^{2}}\rbrack}{({x_{i} - x_{i}^{\prime}})}^{2}} + {2\lbrack{{({{\alpha\delta} - {\beta\gamma}})}^{2} + {({\gamma + \beta})}^{2} + {({\alpha + \beta})}^{2}})}}\rbrack}{({r - r^{\prime}})}^{2}\mu_{i}^{2}}.} \end{matrix}$

As a result, the following is obtained:

$\begin{matrix} {Z\text{:=}\mspace{14mu}{\prod\limits_{i = 1}^{n}\;{\prod\limits_{j = 1}^{6}\;{\hat{e}\left( {\frac{c_{i,j}}{c_{i,j}^{\prime}},\frac{c_{i,j}}{c_{i,j}^{\prime}}} \right)}}}} \\ {= h^{{\Sigma_{i = 1}^{n}{({x_{i} - x_{i}^{\prime}})}}^{2}}} \end{matrix}$ which is the desired result.

The embodiments described above may be used in various applications. For example, in privacy-preserving applications, the evaluation of distance between two vectors serves many different applications. Two categories are focused on: (i) evaluation of distance between two vectors for machine learning algorithms; and (ii) evaluation of physical proximity.

First, application of the embodiments to machine learning will be described. Very large sample sets can require a lot of storage and computational resources in order to carry out the algorithm. In order to be able to handle large datasets, the computation will be offloaded to a datacenter such a cloud computing platform. However, the raw data or feature vectors can often constitute a valuable training set that cannot be released due to privacy concerns, financial value, etc. Therefore machine learning on the data should be performed without actually exposing the data to the server.

Many useful machine learning algorithms for clustering and classification of data use the distance between data-points or the feature vectors extracted from the data. These include known spectral clustering and classification methods. For instance the Gaussian kernel may be applied with the form

$e^{- \frac{||{\overset{\rightarrow}{x} - \overset{\rightarrow}{y}}||^{2}}{2\sigma^{2}}}$ to separate points lying on concentric circles using a linear classifier.

Distances are used to calculate adjacency matrices which are used to compute Laplacian or diffusion matrices. The spectral decomposition of these matrices and choice of the eigenvectors corresponding to the largest eigenvalues result in an often useful non-linear dimensionality reduction of the data. Non-linear dimensionality reduction has been successfully applied to such tasks as computer vision, image classification and segmentation, speaker identification and verification, anomaly detection, etc.

Second, application of the embodiments to private evaluation of geo-proximity will be described. A central service is proposed that users may enroll in to get notifications when they are in proximity to a friend, similar to features supported nowadays by social networks. Two users U_(i) and U_(j), who are interested in discovering when they are near one another, enroll in the service after generating a shared key. They occasionally submit their coordinates to the server, encrypted using the schemes described above, using the pre-shared key and a common tag. The pseudo random function used to generate the common tag may incorporate the time in order to prevent evaluating the distance with a prior location ciphertext.

The server evaluates distances for all pairs i,j that share a common tag, and notifies users whose distance from one another is below a specified threshold. Such a service eliminates the need to broadcast location to all social contacts, and instead just send it to the server.

Next, application of the embodiments to two-factor biometric and digital authentication is described. It is proposed to use distance evaluation for fuzzy-matching of biometric credentials. Biometric patterns matching has to allow for small mismatches due to the fuzzy nature of biometric credentials. The matching of biometric credentials therefore measures whether the distance between the stored reference pattern, and the reading is below a certain predefined threshold.

Due to the sensitivity of biometric credentials, it is desirable to avoid storing the biometric credentials in the clear in a central database. A biometric authentication system may include a central service with a database that stores encrypted biometric credentials, smart-IDs (electronic tokens) distributed to users, and biometric readers. An important point is that the biometric readers do not store any data in the clear, but rather encrypt it using encryption keys provided by the smart-IDs.

Any combination of specific software running on a processor to implement the embodiments of the invention, constitute a specific dedicated machine.

As used herein, the term “non-transitory machine-readable storage medium” will be understood to exclude a transitory propagation signal but to include all forms of volatile and non-volatile memory. Further, as used herein, the term “processor” will be understood to encompass a variety of devices such as microprocessors, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), and other similar processing devices. When software is implemented on the processor, the combination becomes a single specific machine.

It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the invention.

Although the various exemplary embodiments have been described in detail with particular reference to certain exemplary aspects thereof, it should be understood that the invention is capable of other embodiments and its details are capable of modifications in various obvious respects. As is readily apparent to those skilled in the art, variations and modifications can be effected while remaining within the spirit and scope of the invention. Accordingly, the foregoing disclosure, description, and figures are for illustrative purposes only and do not in any way limit the invention, which is defined only by the claims. 

What is claimed is:
 1. A method performed by a server for performing distance revealing encryption, comprising: generating a tuple (

₁,

₂,

_(T), ê), where

₁=

g₁

,

₂=

g₂

and

_(T) are groups whose order is |

₁|=|

₂|=|

_(T)|=p with p prime and ê:

₁×

₂→

_(T) is a bilinear pairing and is non-degenerate; randomly select a first plurality of elements and a second plurality of elements, wherein the first plurality of elements are α, β, ξ, η and are selected such that (α+β)ξη≢0(mod p), and wherein the second plurality of elements are μ₁, . . . , μ_(n) and are selected such that Σ_(i=1) ^(n)μ_(i) ²≡0(mod p); defining a parameter h that is based upon ê, g₁, g₂, and the first plurality of elements, wherein the parameter h=ê(g₁,g₂)^((α+β)ξη); selecting a pseudo-random function family indexed by a secret key K; setting public parameters as ê,

₁,

₂,

_(T), p, h; setting private parameters as g₁, g₂, the first plurality of elements, the second plurality of elements, the pseudo-random function family, and the secret key K; encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of components in the message by: choosing a random value r; computing a plurality of values of the pseudo random function family; and computing a first plurality of ciphertext values based upon g₁, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}; and computing a second plurality of ciphertext values based upon g₂, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}, wherein the server evaluates distances and notifies users whose distance from one another is below a specified threshold.
 2. The method of claim 1, wherein the first plurality of ciphertext values are calculated as c_(i,1)=g₁ ^(ξ(x) ^(i) ^(+t) ^(i) ^()+rμ) ^(i and c) _(i,2)=g₁ ^(α(x) ^(i) ^(+t) ^(i) ^()-βrμ) ^(i) for 1≤i≤n, where t_(i) are the plurality of values of the pseudo random function, and the second plurality of ciphertext values are calculated as d_(i,1)=g₂ ^(βη(x) ^(i) ^(+t) ^(i) ^()-αrμ) ^(i) and d_(i,2)=g₂ ^(η(x) ^(i) ^(+t) ^(i) ^()+rμ) ^(i) for 1≤i≤n.
 3. The method of claim 2, wherein t_(i)=F_(K)(τ,i) where tag r is a value associated with the message {right arrow over (x)}.
 4. The method of claim 2, further comprising determining the distance between two encrypted messages {right arrow over (x)} and {right arrow over (x)}′ by calculating: $Z\mspace{14mu}\text{:=}\mspace{14mu}\Pi_{i = 1}^{n}{{\hat{e}\left( {\frac{c_{i,1}}{c_{i,1}^{\prime}},\frac{d_{i,1}}{d_{i,1}^{\prime}}} \right)} \cdot {{\hat{e}\left( {\frac{c_{i,2}}{c_{i,2}^{\prime}},\frac{d_{i,2}}{d_{i,2}^{\prime}}} \right)}.}}$
 5. A method performed by a server for performing distance revealing encryption, comprising: generating a tuple (

,

_(T), ê), where

=

g

and

_(T) are groups whose order is |

|=|

_(T)|=p with p prime and ê:

×

→

_(T) is a bilinear pairing and is non-degenerate; randomly select a first plurality elements and a second plurality of elements, wherein the first plurality of elements are α, β, γ, δ, ξ, η and are selected such that (1+α²+γ²)ξ²+(1+β²+δ²)η²≢0(mod p), and the second plurality of elements are μ₁, . . . , μ_(n) and are selected such that Σ_(i=1) ^(n)μ_(i) ²≢0(mod p); defining a parameter h that is based upon {right arrow over (e)}, g, and the first plurality of elements, wherein the parameter h=ê(g,g)^((1+α) ² ^(+γ) ² ^()ξ) ² ^(+(1+β) ² ^(+δ) ² ^()η) ² ; selecting a pseudo-random function family indexed by a secret key K; setting public parameters as ê,

,

_(T), p, h, setting private parameters as g, the first plurality of elements, the second plurality of elements, the pseudo-random function family, and the secret key K; encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of elements in the message by: choosing a random value r; computing a plurality of values of the pseudo random function; and computing a plurality of ciphertext values based upon g, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}, wherein the server evaluates distances and notifies users whose distance from one another is below a specified threshold.
 6. The method of claim 5, wherein the plurality of ciphertext values are calculated as c_(i,1)=g^(ξ(x) ^(i) ^(+t) ^(i) ^()-(αδ-βγ)rμ) ^(i) , c_(i,2)=g^(η(x) ^(i) ^(+t) ^(i) ^()-(αδ-βγ)rμ) ^(i) , c_(i,3)=g^(αξ(x) ^(i) ^(+t) ^(i) ^()+(γ+δ)rμ) ^(i) , c_(i,4)=g^(−βη(x) ^(i) ^(+t) ^(i) ^()+(γ+δ)rμ) ^(i) , c_(i,5)=g^(−γξ(x) ^(i) ^(+t) ^(i) ^()+(α+β)rμ) ^(i) , and c_(i,6)=g^(δη(x) ^(i) ^(+t) ^(i) ^()+(α+β)rμ) ^(i) for 1≤i≤n, where t_(i) are the plurality of values of the pseudo random function.
 7. The method of claim 6, wherein t_(i)=F_(K)(τ,i) where tag τ is a value associated with the message {right arrow over (x)}.
 8. The method of claim 6, further comprising determining the distance between two encrypted messages {right arrow over (x)} and {right arrow over (x)}′ by calculating: $Z\mspace{14mu}\text{:=}\mspace{14mu}\Pi_{i = 1}^{n}\Pi_{j = 1}^{6}{{\hat{e}\left( {\frac{c_{i,j}}{c_{i,j}^{\prime}},\frac{c_{i,j}}{c_{i,j}^{\prime}}} \right)}.}$
 9. A non-transitory machine-readable storage medium encoded with instructions, that when executed by a processor, perform a distance revealing encryption, comprising: instructions for generating a tuple (

z,

₂,

_(T), {right arrow over (e)}), where

_(z)=

g₁

,

₂=

g₂

and

_(T) are groups whose order is |

₁|=|

₂|=|

_(T)|=p with p prime and {right arrow over (e)}:

₁×

₂→

_(T) is a bilinear pairing and is non-degenerate; instructions for randomly select a first plurality elements and a second plurality of elements, wherein the first plurality of elements are α, β, ξ, η and are selected such that (α+β)ξη≢0(mod p), and wherein the second plurality of elements are μ₁, . . . , μ_(n) and are selected such that Σ_(i=1) ^(n)μ_(i) ²≢0(mod p); instructions for defining a parameter h that is based upon {right arrow over (e)},

₁,

₂, and the first plurality of elements, wherein the parameter h={right arrow over (e)}(g₁,g₂)^((α+β)μη); instructions for selecting a pseudo-random function family indexed by a secret key K; instructions for setting public parameters as {right arrow over (e)},

₁,

₂,

_(T), p, h; instructions for setting private parameters as g₁, g₂, the first plurality of elements, the second plurality of elements, the pseudo-random function family, and the secret key K; instructions for encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of components in the message by: choosing a random value r; computing a plurality of values of the pseudo random function; and computing a first plurality of ciphertext values based upon g₁, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}; and computing a second plurality of ciphertext values based upon g₂, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}, wherein only a distance between plaintext messages can be inferred from corresponding ciphertext values of the first and second plurality of ciphertext values.
 10. The non-transitory machine-readable storage medium of claim 9, wherein the first plurality of ciphertext values are calculated as c_(i,1)=g^(ξ(x) ^(i) ^(+t) ^(i) ^()rμ) ^(i) and c_(i,2)=g₁ ^(α(x) ^(i) ^(+t) ^(i) ^()-βrμ) ^(i) for 1≤i≤n, where t_(i) are the plurality of values of the pseudo random function, and the second plurality of ciphertext values are calculated as d_(i,1)=g₂ ^(βη(x) ^(i) ^(+t) ^(i) ^()-αrμ) ^(i) and d_(1,2)=q₂ ^(η(x) ^(i) ^(+t) ^(i) ^()+rμ) ^(i) for 1≤i≤n.
 11. The non-transitory machine-readable storage medium of claim 10, wherein t_(i)=F_(K)(τ,i) where tag τ is a value associated with the message {right arrow over (x)}.
 12. The non-transitory machine-readable storage medium of claim 10, further comprising determining the distance between two encrypted messages {right arrow over (x)} and {right arrow over (x)}′ by calculating: $Z\mspace{14mu}\text{:=}\mspace{14mu}\Pi_{i = 1}^{n}{{\hat{e}\left( {\frac{c_{i,1}}{c_{i,1}^{\prime}},\frac{d_{i,1}}{d_{i,1}^{\prime}}} \right)} \cdot {{\hat{e}\left( {\frac{c_{i,2}}{c_{i,2}^{\prime}},\frac{d_{i,2}}{d_{i,2}^{\prime}}} \right)}.}}$
 13. A non-transitory machine-readable storage medium encoded with, that when executed by a processor, perform a distance revealing encryption, comprising: instructions for generating a tuple (

,

_(T), ê), where

=

g

and

_(T) are groups whose order is |

|=|

_(T)|=p with p prime and ê:

×

→

_(T) is a bilinear pairing and is non-degenerate; instructions for randomly select a first plurality of elements and a second plurality of elements, wherein the first plurality of elements are α, β, γ, δ, ξ, η and are selected such that (1+α²+γ²)τ²+(1+β²+δ²)∂²≢0(mod p), and wherein the second plurality of elements are μ₁, . . . , μ_(n) and are selected such that Σ_(i=1) ^(n)μ_(i) ²≢0(mod p); instructions for defining a parameter h that is based upon ê, g, and the first plurality of elements, wherein the parameter h={right arrow over (e)}(g,g)^((1+α) ² ^(+γ) ² ^()ξ) ² ^(+(1+β) ² ^(+δ) ² ^()η) ² ; instructions for selecting a pseudo-random function family indexed by a secret key K; instructions for setting public parameters as {right arrow over (e)},

,

_(T), p, h, instructions for setting private parameters as g, the first plurality of elements, the second plurality of elements, the pseudo-random function family, and the secret key K; instructions for encrypting a message {right arrow over (x)}=(x₁, . . . , x_(n)), when n is the number of elements in the message by: choosing a random value r; computing a plurality of values of the pseudo random function; and computing a plurality of ciphertext values based upon g, the random value r, the first plurality of elements, the second plurality of elements, the plurality of values of the pseudo random function, and message {right arrow over (x)}, wherein only a distance between plaintext messages can be inferred from corresponding ciphertext values of the first and second plurality of ciphertext values.
 14. The non-transitory machine-readable storage medium of claim 13, wherein the plurality of ciphertext values are calculated as c_(i,1)=g^(ξ(x) ^(i) ^(+t) ^(i) ^()-(αδ-βγ)rμ) ^(i) , c_(i,2)=g^(η(x) ^(i) ^(+t) ^(i) ^()-(αδ-βγ)rμ) ^(i) , c_(i,3)=g^(αξ(x) ^(i) ^(+t) ^(i) ^()+(γ+δ)rμ) ^(i) , c_(i,4)=g^(−βη(x) ^(i) ^(+t) ^(i) ^()+(γ+δ)rμ) ^(i) , c_(i,5)=g^(−γξ(x) ^(i) ^(+t) ^(i) ^()+(α+β)rμ) ^(i) , and c_(i,6)=g^(δη(x) ^(i) ^(+t) ^(i) ^()+(α+β)rμ) ^(i) for 1≤i≤n, where t_(i) are the plurality of values of the pseudo random function.
 15. The non-transitory machine-readable storage medium of claim 14, wherein t_(i)=F_(K)(τ,i) where tag r is a value associated with the message {right arrow over (x)}.
 16. The non-transitory machine-readable storage medium of claim 14, further comprising determining the distance between two encrypted messages {right arrow over (x)} and {right arrow over (x)}′ by calculating: $Z\mspace{14mu}\text{:=}\mspace{14mu}\Pi_{i = 1}^{n}\Pi_{j = 1}^{6}{{\hat{e}\left( {\frac{c_{i,j}}{c_{i,j}^{\prime}},\frac{c_{i,j}}{c_{i,j}^{\prime}}} \right)}.}$ 